On Thursday 08 January 2004 01:09 pm, David W. Brown wrote:
> Hello shorewall gurus, I have been using shorewall for quite some time
> successfully. I have two nics: eth0 and eth1. As you may expect eth0 is the
> public internet and eth1 is on my Class C subnet lan which is a mix of
> Linux and NT boxes. I have configured pppd to run as a server and remote
> dialup logins are successful with the expected connection. However,
> routing of data packets is hindered by the shorewall rules as expected and
> access to the internet and dns lookups are blocked. The shorewall logwatch
> snippet follows here:
>
> Jan 8 15:15:43 INPUT:REJECT:IN=ppp0 OUT= SRC=192.168.1.11
> DST=208.240.66.101 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=436 PROTO=UDP
> SPT=1044 DPT=53 LEN=44
>
> Jan 8 15:15:43 OUTPUT:REJECT:IN= OUT=ppp0 SRC=208.240.66.101
> DST=192.168.1.11 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=0 DF PROTO=ICMP
> TYPE=3 CODE=3 [SRC=192.168.1.11 DST=208.240.66.101 LEN=64 TOS=0x00
> PREC=0x00 TTL=128 ID=436 PROTO=UDP SPT=1044 DPT=53 LEN=44 ]
>
> Creating a MASQ rule does not work because the interface ppp0 only exists
> during a successful dialin/login.
Nonsense -- YOU assign the IP addresses to the remote systems so you can place
the following in /etc/shorewall/masq:
eth0 <subnet assigned to dialin> [ <IP address of eth0> ]
Remember that the second column in /etc/shorewall/masq *doesn't have to be an
interface name*.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
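The two REJECT entries quoted in the original question are standard netfilter LOG output with Shorewall's CHAIN:ACTION prefix. The following parser is an added example, not code from the thread or from the Shorewall project: it reads those two lines (copied from the message and re-joined onto single lines), splits them into chain, interfaces, addresses and ports, and unpacks the bracketed inner header that an ICMP port-unreachable carries, so the pattern behind the report (a DNS query arriving from the ppp0 peer rejected in INPUT, then the ICMP error back to the peer rejected in OUTPUT) can be read off directly. Interface name, field layout and the `dialin_rejects` helper are assumptions for illustration.

```python
"""Parse Shorewall/netfilter REJECT log lines like the ones quoted above.

Added example (not part of the original thread). Input lines are constructed
from the two entries in the message; field names follow the netfilter LOG
target (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, TYPE=, CODE=).
"""
import re
from dataclasses import dataclass

# The two log lines quoted in the original message, re-joined onto one line each.
SAMPLE_LOG = [
    "Jan 8 15:15:43 INPUT:REJECT:IN=ppp0 OUT= SRC=192.168.1.11 DST=208.240.66.101 "
    "LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=436 PROTO=UDP SPT=1044 DPT=53 LEN=44",
    "Jan 8 15:15:43 OUTPUT:REJECT:IN= OUT=ppp0 SRC=208.240.66.101 DST=192.168.1.11 "
    "LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=0 DF PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=192.168.1.11 DST=208.240.66.101 LEN=64 TOS=0x00 PREC=0x00 TTL=128 "
    "ID=436 PROTO=UDP SPT=1044 DPT=53 LEN=44 ]",
]

# "Mon  8 15:15:43 CHAIN:ACTION:rest of the netfilter fields"
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<chain>\w+):(?P<action>\w+):(?P<rest>.*)$"
)
# KEY=VALUE tokens; VALUE may be empty (e.g. "OUT=") and flags like "DF" have no "=".
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class LogEntry:
    timestamp: str
    chain: str       # INPUT, OUTPUT, FORWARD, ...
    action: str      # REJECT, DROP, ACCEPT, ...
    fields: dict     # outer packet header; a repeated key (LEN) keeps the last value
    inner: dict      # header of the packet quoted inside an ICMP error ([...]), else {}


def parse_line(line):
    """Split one netfilter LOG line into a LogEntry; raise on unknown layout."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rest = m.group("rest")
    inner = {}
    if "[" in rest:
        # ICMP errors (type 3 here) embed the offending packet's header in brackets.
        rest, inner_text = rest.split("[", 1)
        inner = dict(KV_RE.findall(inner_text.rstrip("] ")))
    fields = dict(KV_RE.findall(rest))
    return LogEntry(m.group("ts"), m.group("chain"), m.group("action"), fields, inner)


def describe(entry):
    """One-line human summary: chain, action, interfaces and the flow involved."""
    f = entry.fields
    direction = f"IN={f.get('IN') or '-'} OUT={f.get('OUT') or '-'}"
    proto = f.get("PROTO")
    if proto in ("TCP", "UDP"):
        flow = f"{proto} {f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']}"
    elif proto == "ICMP":
        flow = f"ICMP type {f['TYPE']} code {f['CODE']} {f['SRC']} -> {f['DST']}"
        if entry.inner:
            i = entry.inner
            flow += f" (about {i['PROTO']} {i['SRC']}:{i['SPT']} -> {i['DST']}:{i['DPT']})"
    else:
        flow = f"{proto} {f['SRC']} -> {f['DST']}"
    return f"{entry.chain} {entry.action} {direction}: {flow}"


def dialin_rejects(lines, dialin_if="ppp0"):
    """Parsed entries in which the (assumed) dial-in interface was ingress or egress."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e.fields.get("IN") == dialin_if or e.fields.get("OUT") == dialin_if:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for entry in dialin_rejects(SAMPLE_LOG):
        print(describe(entry))
```

Run as a script it prints one summary per entry; the second summary shows that the OUTPUT reject is the firewall's own ICMP port-unreachable about the very DNS query rejected in the first line, i.e. both entries describe a single blocked lookup rather than two separate flows.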